After First Unlock (AFU)
AFU (After First Unlock) means the device is currently locked but has been unlocked at least once since it booted. In this state the encryption keys are already held in RAM, which gives a larger attack surface than BFU.
AFU vs. BFU
The contrasting term is BFU (Before First Unlock), which refers to the state of a device that has been powered on but not yet unlocked. The distinction between AFU and BFU is crucial because the data accessible in each state can differ significantly.
Importance of AFU in iOS Forensics
When an iOS device is powered on and in a BFU state, only a limited amount of data is available for extraction, such as some system files and databases. However, once the device is unlocked (AFU state), a wealth of additional data becomes accessible, including user-generated content like messages, photos, and application data.
For forensic investigators, it is often desirable to access a device in an AFU state to retrieve the most comprehensive set of data possible. However, this requires the investigator to have a means of unlocking the device, such as a passcode, biometric data, or an exploit.
FAQs
What does AFU mean in mobile forensics?
AFU stands for “After First Unlock” and refers to the state of a mobile device after it has been unlocked for the first time since being powered on.
Why is AFU important in iOS forensics?
AFU is important in iOS forensics because it allows access to a much larger pool of data compared to the limited data available in a BFU (Before First Unlock) state. In an AFU state, investigators can retrieve user-generated content and application data that may be crucial to a case.